CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL
First published: Sun May 02 2021(Updated: )
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | >=1.0.0<1.10.15 | |
| Apache Airflow | >=2.0.0<2.0.2 | |
| pip/apache-airflow | >=2.0.0a1<2.0.2 | 2.0.2 |
| pip/apache-airflow | <1.10.15 | 1.10.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
- https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-28359
- https://github.com/apache/airflow/commit/2fef2ab1bf0f8c727a503940c9c65fd5be208386
- https://github.com/advisories/GHSA-3xxv-p78r-4fc6 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-4.yaml
Frequently Asked Questions
What is CVE-2021-28359?
CVE-2021-28359 is a vulnerability in Apache Airflow that allows for XSS exploits through the 'origin' parameter passed to endpoints like '/trigger'.
Which versions of Apache Airflow are affected by CVE-2021-28359?
CVE-2021-28359 affects Apache Airflow versions <1.10.15 in the 1.x series and versions 2.0.0, 2.0.1, and 2.x series.
How severe is CVE-2021-28359?
CVE-2021-28359 has a severity rating of 6.1 (medium).
How can CVE-2021-28359 be exploited?
CVE-2021-28359 can be exploited through an XSS (Cross-Site Scripting) attack by manipulating the 'origin' parameter in certain endpoints like '/trigger'.
Is there a fix available for CVE-2021-28359?
Yes, you can mitigate CVE-2021-28359 by updating Apache Airflow to version 1.10.15 for the 1.x series or version 2.0.2 for the 2.x series.
- collector/nvd-index
- agent/type
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3xxv-p78r-4fc6
- alias/CVE-2021-28359
- agent/last-modified-date
- agent/references
- agent/tags
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- vendor/apache
- canonical/apache airflow
- version/apache airflow/1.0.0
- version/apache airflow/2.0.0
- package-manager/pip